On Tue, Mar 8, 2016 at 6:03 AM, Bogdan Purcareata <[email protected] > wrote:
> Thank you! > > Could you kindly cherry-pick this commit on the jethro branch as well? > Sorry I > failed to mention this in the initial patch. > Cherry picked to jethro. Bruce > > Thank you! > Bogdan P. > > On 07.03.2016 18:33, Bruce Ashfield wrote: > > merged to master. > > > > Bruce > > > > On Mon, Feb 29, 2016 at 10:27 AM, Bogdan Purcareata < > > [email protected]> wrote: > > > >> These patches address some warnings that LXC throws when running > >> an application container. They are currently applied in the official > >> repository. > >> > >> Signed-off-by: Bogdan Purcareata <[email protected]> > >> --- > >> ...s-Create-dev-shm-folder-if-it-doesn-t-exi.patch | 39 ++++++++++++ > >> ...if_needed-only-safe-mount-when-rootfs-is-.patch | 69 > >> ++++++++++++++++++++++ > >> ...t_symlink-Account-when-prefix-is-empty-st.patch | 37 ++++++++++++ > >> recipes-containers/lxc/lxc_1.1.4.bb | 3 + > >> 4 files changed, 148 insertions(+) > >> create mode 100644 > >> > recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch > >> create mode 100644 > >> > recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch > >> create mode 100644 > >> > recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch > >> > >> diff --git > >> > a/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch > >> > b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch > >> new file mode 100644 > >> index 0000000..751a7ac > >> --- /dev/null > >> +++ > >> > b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch 
> >> @@ -0,0 +1,39 @@ > >> +From 81e3c9cf8b2f230d761738da28e9dc69fb90ec46 Mon Sep 17 00:00:00 2001 > >> +From: Bogdan Purcareata <[email protected]> > >> +Date: Fri, 8 Jan 2016 15:38:44 +0000 > >> +Subject: [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't > exist > >> + > >> +When running application containers with lxc-execute, /dev is > >> +populated only with device entries. Since /dev is a tmpfs mount in > >> +the container environment, the /dev/shm folder not being present is not > >> +a sufficient reason for the /dev/shm mount to fail. > >> + > >> +Create the /dev/shm directory if not present. > >> + > >> +Upstream-status: Accepted > >> +[ > >> > https://github.com/lxc/lxc/commit/81e3c9cf8b2f230d761738da28e9dc69fb90ec46 > >> ] > >> + > >> +Signed-off-by: Bogdan Purcareata <[email protected]> > >> +Acked-by: Serge E. Hallyn <[email protected]> > >> +--- > >> + src/lxc/initutils.c | 4 ++++ > >> + 1 file changed, 4 insertions(+) > >> + > >> +diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c > >> +index 45df60f..8d9016c 100644 > >> +--- a/src/lxc/initutils.c > >> ++++ b/src/lxc/initutils.c > >> +@@ -47,6 +47,10 @@ extern void lxc_setup_fs(void) > >> + if (mount_fs("proc", "/proc", "proc")) > >> + INFO("failed to remount proc"); > >> + > >> ++ /* if /dev has been populated by us, /dev/shm does not exist */ > >> ++ if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777)) > >> ++ INFO("failed to create /dev/shm"); > >> ++ > >> + /* if we can't mount /dev/shm, continue anyway */ > >> + if (mount_fs("shmfs", "/dev/shm", "tmpfs")) > >> + INFO("failed to mount /dev/shm"); > >> +-- > >> +1.9.1 > >> + > >> diff --git > >> > a/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch > >> > b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch > >> new file mode 100644 > >> index 0000000..c3afd85 
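Review bot: The fallback directory is created with `mkdir("/dev/shm", 0777)` and no sticky bit, so if the tmpfs mount that follows fails (which the existing comment says is tolerated) the container is left with a world-writable, non-sticky /dev/shm where any user can unlink or rename another user's shm objects; `mkdir("/dev/shm", 01777)` gives the fallback the same semantics a tmpfs /dev/shm has. The `access()`-then-`mkdir()` pair is also a small race; `if (mkdir("/dev/shm", 01777) < 0 && errno != EEXIST) INFO("failed to create /dev/shm");` covers both cases in one call (whether the umask at this point clears the group/other bits is not visible here). Separately, the header spells `Upstream-status:` while the third patch uses `Upstream-Status:`; OpenEmbedded tooling keys on the capitalised form, so the first two patch files should match it. The enclosing lxc_setup_fs continues outside the hunk.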
> >> --- /dev/null > >> +++ > >> > b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch 
> >> @@ -0,0 +1,69 @@ > >> +From f267d6668e3a95cb2247accb169cf1bc7f8ffcab Mon Sep 17 00:00:00 2001 > >> +From: Bogdan Purcareata <[email protected]> > >> +Date: Wed, 20 Jan 2016 10:53:57 +0000 > >> +Subject: [PATCH] mount_proc_if_needed: only safe mount when rootfs is > >> defined > >> + > >> +The safe_mount function was introduced in order to address > CVE-2015-1335, > >> +one of the vulnerabilities being a mount with a symlink for the > >> +destination path. In scenarios such as lxc-execute with no rootfs, the > >> +destination path is the host /proc, which is previously mounted by the > >> +host, and is unmounted and mounted again in a new set of namespaces, > >> +therefore eliminating the need to check for it being a symlink. > >> + > >> +Mount the rootfs normally if the rootfs is NULL, keep the safe mount > >> +only for scenarios where a different rootfs is defined. > >> + > >> +Upstream-status: Accepted > >> +[ > >> > https://github.com/lxc/lxc/commit/f267d6668e3a95cb2247accb169cf1bc7f8ffcab > >> ] > >> + > >> +Signed-off-by: Bogdan Purcareata <[email protected]> > >> +Acked-by: Serge E. Hallyn <[email protected]> > >> +--- > >> + src/lxc/conf.c | 1 + > >> + src/lxc/utils.c | 10 +++++++++- > >> + 2 files changed, 10 insertions(+), 1 deletion(-) > >> + > >> +diff --git a/src/lxc/conf.c b/src/lxc/conf.c > >> +index 632dde3..1e30c0c 100644 > >> +--- a/src/lxc/conf.c > >> ++++ b/src/lxc/conf.c > >> +@@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c) > >> + return 0; > >> + } > >> + > >> ++/* NOTE: not to be called from inside the container namespace! 
*/ > >> + int tmp_proc_mount(struct lxc_conf *lxc_conf) > >> + { > >> + int mounted; > >> +diff --git a/src/lxc/utils.c b/src/lxc/utils.c > >> +index 4e96a50..0bc7a20 100644 > >> +--- a/src/lxc/utils.c > >> ++++ b/src/lxc/utils.c > >> +@@ -1704,6 +1704,8 @@ int safe_mount(const char *src, const char *dest, > >> const char *fstype, > >> + * > >> + * Returns < 0 on failure, 0 if the correct proc was already mounted > >> + * and 1 if a new proc was mounted. > >> ++ * > >> ++ * NOTE: not to be called from inside the container namespace! > >> + */ > >> + int mount_proc_if_needed(const char *rootfs) > >> + { > >> +@@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs) > >> + return 0; > >> + > >> + domount: > >> +- if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0) > >> ++ if (!strcmp(rootfs,"")) /* rootfs is NULL */ > >> ++ ret = mount("proc", path, "proc", 0, NULL); > >> ++ else > >> ++ ret = safe_mount("proc", path, "proc", 0, NULL, rootfs); > >> ++ > >> ++ if (ret < 0) > >> + return -1; > >> ++ > >> + INFO("Mounted /proc in container for security transition"); > >> + return 1; > >> + } > >> +-- > >> +1.9.1 > >> + > >> diff --git > >> > a/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch > >> > b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch > >> new file mode 100644 > >> index 0000000..28f9889 > >> --- /dev/null > >> +++ > >> > b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch 
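Review bot: The new branch is commented `/* rootfs is NULL */` but tests `!strcmp(rootfs, "")`, so a rootfs that really is NULL is dereferenced by strcmp before the comment's case is ever reached; if callers can pass NULL as the commit message says, the test should be `if (!rootfs || !*rootfs) /* no separate rootfs: this is the host's own /proc */`. Note that this branch skips safe_mount(), i.e. the CVE-2015-1335 symlink guard, for every empty-rootfs caller, which is only sound under the "not to be called from inside the container namespace" contract the hunk adds as a comment; it is worth saying that explicitly next to the plain mount() rather than only at the function header. `ret` and `path` appear to be declared outside the hunk, and the rest of mount_proc_if_needed (including the earlier snprintf of rootfs into path) is not visible here. The header also spells `Upstream-status:` where OpenEmbedded convention is `Upstream-Status:`.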
> >> @@ -0,0 +1,37 @@ > >> +From 01074e5b34719537cef474c6b81d4f55e6427639 Mon Sep 17 00:00:00 2001 > >> +From: Bogdan Purcareata <[email protected]> > >> +Date: Fri, 8 Jan 2016 15:38:35 +0000 > >> +Subject: [PATCH] open_without_symlink: Account when prefix is empty > string > >> + > >> +In the current implementation, the open_without_symlink function > >> +will default to opening the root mount only if the passed rootfs > >> +prefix is null. It doesn't account for the case where this prefix > >> +is passed as an empty string. > >> + > >> +Properly handle this second case as well. > >> + > >> +Upstream-Status: Accepted > >> +[ > >> > https://github.com/lxc/lxc/commit/01074e5b34719537cef474c6b81d4f55e6427639 > >> ] > >> + > >> +Signed-off-by: Bogdan Purcareata <[email protected]> > >> +Acked-by: Serge E. Hallyn <[email protected]> > >> +--- > >> + src/lxc/utils.c | 2 +- > >> + 1 file changed, 1 insertion(+), 1 deletion(-) > >> + > >> +diff --git a/src/lxc/utils.c b/src/lxc/utils.c > >> +index ed8c4c4..4e96a50 100644 > >> +--- a/src/lxc/utils.c > >> ++++ b/src/lxc/utils.c > >> +@@ -1575,7 +1575,7 @@ static int open_without_symlink(const char > *target, > >> const char *prefix_skip) > >> + fulllen = strlen(target); > >> + > >> + /* make sure prefix-skip makes sense */ > >> +- if (prefix_skip) { > >> ++ if (prefix_skip && strlen(prefix_skip) > 0) { > >> + curlen = strlen(prefix_skip); > >> + if (!is_subdir(target, prefix_skip, curlen)) { > >> + ERROR("WHOA there - target '%s' didn't start > with > >> prefix '%s'", > >> +-- > >> +1.9.1 > >> + > >> diff --git a/recipes-containers/lxc/lxc_1.1.4.bb > b/recipes-containers/lxc/ > >> lxc_1.1.4.bb > >> index 4006deb..e017dcf 100644 > >> --- a/recipes-containers/lxc/lxc_1.1.4.bb > >> +++ b/recipes-containers/lxc/lxc_1.1.4.bb 
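Review bot: Style only: `if (prefix_skip && strlen(prefix_skip) > 0)` walks the string to test for emptiness where `if (prefix_skip && *prefix_skip)` is the idiomatic C form and reads as the "NULL or empty" check the commit message describes. With an empty prefix now treated like no prefix, the function presumably resolves target from the root mount, but that code and the meaning of a relative target are outside the hunk, so a one-line comment such as `/* NULL or "" prefix: target is resolved from the root mount */` would make the intent clear at the branch. The rest of open_without_symlink is not visible here.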
> >> @@ -34,6 +34,9 @@ SRC_URI = " > >> http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \ > >> file://make-some-OpenSSH-tools-optional.patch \ > >> file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \ > >> > file://logs-optionally-use-base-filenames-to-report-src-fil.patch \ > >> + > file://open_without_symlink-Account-when-prefix-is-empty-st.patch \ > >> + > file://lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch \ > >> + > file://mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch \ > >> " > >> > >> SRC_URI[md5sum] = "d33c4bd9c57755c0e2b0e2acbc3f171d" > >> -- > >> 1.9.1 > >> > >> -- > >> _______________________________________________ > >> meta-virtualization mailing list > >> [email protected] > >> https://lists.yoctoproject.org/listinfo/meta-virtualization > >> > > > > > > > -- "Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end"
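Review bot: The three new patches have an implicit ordering dependency that the recipe does not document: both open_without_symlink and mount_proc_if_needed touch src/lxc/utils.c, and the index lines (ed8c4c4..4e96a50 then 4e96a50..0bc7a20) show the second is generated on top of the first, so reordering the SRC_URI entries would break do_patch. A short comment above the entries, `# order matters: open_without_symlink must precede mount_proc_if_needed (both patch src/lxc/utils.c)`, would protect the next person who appends or sorts the list.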
